HIPAA Compliance Assessment with AI: A SAISA Case Study
Healthcare data handling under the SAISA. Industry schedules, data processing terms, and compliance attestation.
Healthcare organizations face unique challenges when deploying AI agents. HIPAA requirements for Protected Health Information (PHI) add compliance layers that generic AI governance does not address. The SAISA, combined with healthcare-specific industry schedules, provides the framework.
The Use Case
A healthcare provider wants to assess their HIPAA compliance posture using an AI agent. The agent will:
- Review existing policies and procedures
- Identify gaps against HIPAA Security Rule requirements
- Generate a prioritized remediation roadmap
- Draft policy updates to address gaps
The challenge: the agent may need to review documents containing PHI references, employee information, and sensitive security controls.
Industry Schedule: Healthcare (Schedule H)
For healthcare engagements, the Paper references Schedule H, which adds:
```json
{
  "scheduleH": {
    "applicability": "HIPAA Covered Entity or Business Associate",
    "phiHandling": {
      "minimumNecessary": true,
      "deIdentificationRequired": "PREFERRED",
      "directPhiAccess": false
    },
    "businessAssociateAgreement": {
      "required": true,
      "attachedAs": "Exhibit C"
    },
    "breachNotification": {
      "timeline": "24 hours",
      "contactMethod": "[email protected]"
    },
    "auditControls": {
      "accessLogging": "REQUIRED",
      "retentionYears": 6
    }
  }
}
```

The HIPAA Compliance Paper
```jsonc
{
  "paperId": "paper_hipaa_assessment_001",
  "agent": {
    "id": "hipaa-assessor-v3",
    "developer": "HealthTech Compliance AI",
    "certifications": ["HITRUST_CERTIFIED"]
  },
  "scheduleIds": ["H"],
  "executionManifest": {
    "maxCostCents": 750000,
    "timelineDays": 14,
    "completionCriteria": [
      // Coverage
      "All 18 HIPAA Security Rule standards addressed",
      "All 36 implementation specifications evaluated",
      "Administrative, Physical, and Technical safeguards covered",
      // Assessment Quality
      "Each standard rated: Compliant, Partially Compliant, Non-Compliant",
      "Each finding includes regulatory citation (45 CFR section)",
      "Each gap includes risk severity (Critical/High/Medium/Low)",
      // Deliverables
      "Gap analysis report in NIST CSF format",
      "Remediation roadmap with estimated effort per item",
      "Draft policies for top 5 critical gaps",
      // PHI Handling
      "No PHI retained in deliverables",
      "All examples use de-identified data"
    ],
    "permissionScopes": [
      "read_context",
      "read_documents"
    ],
    "allowedEgressUrls": []
  },
  "exhibits": [
    {
      "id": "policies",
      "name": "Current HIPAA Policies",
      "type": "document_folder",
      "phiStatus": "REFERENCES_ONLY"
    },
    {
      "id": "inventory",
      "name": "ePHI Systems Inventory",
      "type": "spreadsheet",
      "phiStatus": "DE_IDENTIFIED"
    },
    {
      "id": "baa_template",
      "name": "Business Associate Agreement",
      "type": "application/pdf"
    }
  ]
}
```

PHI Handling Requirements
When AI agents process healthcare data, additional controls apply:
Minimum Necessary
The agent should only access the minimum PHI necessary to perform the assessment. For compliance reviews, this often means NO direct PHI access - only policies, procedures, and de-identified system descriptions.
Business Associate Agreement
If the agent processes PHI, a BAA must be in place between the Covered Entity (Buyer) and the Developer. The BAA is attached as an exhibit and referenced in the Paper.
Breach Notification
Schedule H specifies 24-hour breach notification (stricter than the SAISA default of 72 hours). This aligns with HIPAA's requirements for prompt notification.
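As an added example (not code from the page or from the SAISA framework), the following Python checker applies the Schedule H constraints above to a Paper and also verifies that its completion criteria cite each of the 18 Security Rule standards by CFR section, which is the verifiability point the acceptance-criteria section below makes. The Paper and Schedule H field names are the page's; the function, the citation regex, and the rule that an exhibit without a phiStatus counts as unlabelled are assumptions of this example (the page's own BAA exhibit carries no label and would be flagged).

```python
import re

# Subset of the page's Schedule H block that the checks below consume.
SCHEDULE_H = {
    "phiHandling": {"directPhiAccess": False},
    "businessAssociateAgreement": {"required": True},
}

# The 18 Security Rule standards enumerated in the page's acceptance criteria.
SECURITY_RULE_STANDARDS = (
    "164.308(a)(1)", "164.308(a)(2)", "164.308(a)(3)", "164.308(a)(4)",
    "164.308(a)(5)", "164.308(a)(6)", "164.308(a)(7)", "164.308(a)(8)",
    "164.308(b)(1)", "164.310(a)(1)", "164.310(b)", "164.310(c)",
    "164.310(d)(1)", "164.312(a)(1)", "164.312(b)", "164.312(c)(1)",
    "164.312(d)", "164.312(e)(1)",
)
# Matches a Security Rule citation such as 164.308(a)(1) or 164.310(b).
CITATION_RE = re.compile(r"164\.3(?:08|10|12)\([a-z]\)(?:\(\d+\))?")
# Exhibit labels assumed acceptable when Schedule H denies direct PHI access.
PHI_SAFE_LABELS = {"REFERENCES_ONLY", "DE_IDENTIFIED"}


def check_paper(paper, schedule=SCHEDULE_H):
    """Return the list of Schedule H problems found in a Paper; empty means acceptable."""
    problems = []
    manifest = paper["executionManifest"]
    criteria = manifest.get("completionCriteria", [])
    exhibits = paper.get("exhibits", [])
    # 1. Verifiability: every standard must be cited by CFR section, not described in prose.
    cited = set(CITATION_RE.findall(" ".join(criteria)))
    missing = [s for s in SECURITY_RULE_STANDARDS if s not in cited]
    if missing:
        problems.append(f"{len(missing)} standards lack a CFR citation, e.g. {missing[0]}")
    # 2. Minimum necessary: with direct PHI access denied, every exhibit must carry a
    #    PHI-safe label, no egress URL may be open, and deliverables must retain no PHI.
    if not schedule["phiHandling"]["directPhiAccess"]:
        for ex in exhibits:
            status = ex.get("phiStatus", "UNLABELLED")
            if status not in PHI_SAFE_LABELS:
                problems.append(f"exhibit {ex['id']!r} has phiStatus {status}")
        if manifest.get("allowedEgressUrls"):
            problems.append("allowedEgressUrls must be empty when direct PHI access is denied")
        if "No PHI retained in deliverables" not in criteria:
            problems.append("criteria must require that no PHI is retained in deliverables")
    # 3. BAA: Schedule H requires the agreement to be attached as an exhibit.
    has_baa = any("Business Associate" in ex.get("name", "") for ex in exhibits)
    if schedule["businessAssociateAgreement"]["required"] and not has_baa:
        problems.append("BAA required by Schedule H but no Business Associate Agreement exhibit attached")
    return problems
```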
Acceptance Criteria for HIPAA Assessments
Good HIPAA assessment criteria reference specific regulations:
```jsonc
{
  "completionCriteria": [
    // Administrative Safeguards (45 CFR 164.308)
    "164.308(a)(1) - Security Management Process: evaluated",
    "164.308(a)(2) - Assigned Security Responsibility: evaluated",
    "164.308(a)(3) - Workforce Security: evaluated",
    "164.308(a)(4) - Information Access Management: evaluated",
    "164.308(a)(5) - Security Awareness Training: evaluated",
    "164.308(a)(6) - Security Incident Procedures: evaluated",
    "164.308(a)(7) - Contingency Plan: evaluated",
    "164.308(a)(8) - Evaluation: evaluated",
    "164.308(b)(1) - Business Associate Contracts: evaluated",
    // Physical Safeguards (45 CFR 164.310)
    "164.310(a)(1) - Facility Access Controls: evaluated",
    "164.310(b) - Workstation Use: evaluated",
    "164.310(c) - Workstation Security: evaluated",
    "164.310(d)(1) - Device and Media Controls: evaluated",
    // Technical Safeguards (45 CFR 164.312)
    "164.312(a)(1) - Access Control: evaluated",
    "164.312(b) - Audit Controls: evaluated",
    "164.312(c)(1) - Integrity: evaluated",
    "164.312(d) - Authentication: evaluated",
    "164.312(e)(1) - Transmission Security: evaluated"
  ]
}
```

Deliverable Example
A structured HIPAA assessment finding:
```json
{
  "finding": {
    "id": "HIPAA-2026-001",
    "standard": "164.312(a)(2)(i)",
    "standardName": "Unique User Identification",
    "category": "Technical Safeguard",
    "status": "PARTIALLY_COMPLIANT",
    "severity": "HIGH",
    "observation": "Shared login credentials observed for EHR system in billing department. 3 users share 'billing_user' account.",
    "regulatoryRequirement": "Assign a unique name and/or number for identifying and tracking user identity.",
    "riskDescription": "Shared credentials prevent individual accountability, complicate breach investigation, and violate minimum necessary principle.",
    "remediation": {
      "action": "Create individual user accounts for all billing staff",
      "effort": "2-4 hours IT effort",
      "priority": "P1 - Complete within 30 days",
      "policyUpdate": "Update Access Control Policy section 4.2"
    },
    "evidence": {
      "documentRef": "Exhibit A, page 12",
      "interviewRef": "IT Manager discussion notes"
    }
  }
}
```

Audit Trail and Retention
HIPAA requires 6-year retention of certain records. The SAISA accommodates this through Schedule H's auditControls block, which makes access logging REQUIRED and sets retentionYears to 6 for the engagement's audit trail.
Compliance Attestation
The Readiness Certificate for a HIPAA assessment includes additional attestations:
```json
{
  "certificate": {
    "id": "cert_hipaa_001",
    "standardAttestations": [
      "Independent cross-model review completed",
      "Quality pipeline executed without error",
      "Deliverables staged for review"
    ],
    "scheduleHAttestations": [
      "No PHI retained in deliverables",
      "All examples use de-identified data",
      "BAA requirements satisfied",
      "Audit logging enabled throughout execution"
    ]
  }
}
```

Limitations
Important limitations to understand:
- AI assessment is not a substitute for formal HIPAA audit by qualified assessors
- The Readiness Certificate does not constitute HIPAA compliance certification
- Some HIPAA requirements (e.g., physical safeguards) require in-person verification
- The agent identifies gaps; human judgment determines remediation priorities
Key Takeaways
- Schedule H adds healthcare-specific requirements: BAA, PHI handling, 24-hour breach notification
- Acceptance criteria should reference specific CFR sections for verifiability
- Minimum necessary principle applies - prefer de-identified data over direct PHI access
- AI assessment complements but does not replace formal HIPAA audits